Pierluigi Paganini March 31, 2025

Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.

Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) targets Ukraine with a phishing campaign. The cyberespionage group is behind a long series of spear-phishing attacks targeting Ukrainian entities, and organizations related to Ukrainian affairs. The APT group has been launching cyber-espionage campaigns against Ukraine since at least 2014.

The threat actor is using troop-related lures to deploy the Remcos RAT via PowerShell downloader.

The campaign has been active since at least November 2024, the PowerShell downloader connects to geo-fenced servers in Russia and Germany to retrieve a ZIP file with the Remcos backdoor.

“Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024.” reads the Talos report. “The second stage payload uses DLL side loading to execute the Remcos payload. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.”

Threat actor distributes LNK files compressed inside ZIP archives as part of the recent phishing campaign, usually disguising the file as an Office document and uses names related to the military invasion.  

Gamaredon likely sends phishing e-mails with either an attached ZIP file or that contain a URL link pointing to the file hosted on a remote host.  

The malicious LNK files, created on two machines, contain PowerShell code to download the next stage payload and a decoy file to disguise the infection.

The PowerShell code avoids antivirus detection by using Get-Command to execute the payload. The researchers noticed that the servers only responded to requests from Ukraine, while connections from Germany and Russia return HTTP 403 errors, possibly restricting access to Ukrainian victims. Evidence shows the servers were still hosting files for specific regions.

Gamaredon typically uses custom scripts and tools but has recently been observed employing the Remcos backdoor in their campaigns. The attack involves downloading a ZIP payload from servers, extracting it to the %TEMP% folder, and executing a seemingly clean application that loads a malicious DLL via DLL sideloading. This DLL acts as a loader, decrypting and executing the final Remcos payload from encrypted files within the ZIP.

The PowerShell scripts used to download the ZIP files suggest abuse of legitimate applications for DLL sideloading and contain a mix of clean and malicious files.

“We can see in the previously mentioned sample downloaded by “Any.run” that it contains the clean application TivoDiag.exe, as well as two DLLs. The file “mindclient.dll” is the malicious DLL which is loaded by “TivoDiag.exe” during execution.” continues the report.

The report includes Indicators of Compromise (IoCs) for this threat along with Snort rules for its detection.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)